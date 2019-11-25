from the software-freedom dept.
Software Engineer Nikita Prokopov delves into how programs have changed over recent years from doing our bidding to working against us, controlling us. This adverse change has been ushered in through requiring accounts, update processes, notifications, and on-boarding procedures.
This got so bad that when a program doesn't ask you to create an account, it feels refreshing.
"Okay, but accounts are still needed to sync stuff between machines."
Wrong. Syncthing is a secure, multi-machine distributed app and yet doesn't need an account.
"Okay, but you still need an account if you pay for a subscription?"
Mullvad VPN accepts payments and yet didn't ask me for my email.
These new, malevolent programs fight for attention rather than getting the job done while otherwise staying out of the way. Not only do they prioritize "engagement" over its opposite, "usability", they also tend to push (hostile) agendas along the way.
Bruce Perens is working on licensing for a new, post-Open Source era to take open source licensing past the apparent stalling point it has reached on its way towards software freedom. As he noted earlier, current licenses are not meeting that goal and businesses have either found loophole or just plain been allowed to ignore the licensing. A move more towards a contract is needed.
At the link below is the first draft of the Post-Open License. This is not yet the product of a qualified attorney, and you shouldn't apply it to your own work yet. There isn't context for this license yet, so some things won't make sense: for example the license is administered by an entity called the "POST-OPEN ADMINISTRATION" and I haven't figured out how to structure that organization so that people can trust it. There are probably also terms I can't get away with legally, this awaits work with a lawyer.
Because the license attempts to handle very many problems that have arisen with Open Source licensing, it's big. It's approaching the size of AGPL3, which I guess is a metric for a relatively modern license, since AGPL3 is now 17 years old
The draft license is quite long since it covers quite a few scenarios.
Here are two related essays on software freedom in light of the current environment where platform decay has become the norm.
Lead developer of Linux-Libre, FSFLA board member, and previous FSF board member, Alexandre Oliva wrote a piece back in June about platform decay (also known colloquially as enshittification) and how to fight it through software freedom. It's from his May 5th, 2024 LibrePlanet presentation with the same title ( video and slides ). This weekend, developer Daniel Cantarín wrote a follow up addressing the nature of software freedom and the increasing communication, philosophical, and political barriers to actually achieving software freedom.
The two essays are essentially in agreement but raise different points and priorities.
Alexandre Oliva's essay includes the following:
[...] Software (static) enshittification
Back in the time when most users could choose which version of a program they wanted to run, upgrading software was not something that happened automagically. Installing a program involved getting a copy of its installable media, and if you wanted to install a newer version, you had to get a copy of the installable media for the newer version.
You could install them side by side, and if you found that the newer version was lacking some feature important to you, or it didn't serve you well, you could roll back to the older version.
This created a scenario in which the old and the new versions competed for users, so in order for the newer version to gain adoption, it had to be more attractive to users than the older one. It had to offer more interesting features, and if it dropped features or engaged in enshittification, it would need even more interesting features to make up.
This limits how much enshittification can be imposed on users in newer versions. It was much harder to pull feature from under users in that static arrangement.
Software (dynamic) enshittification
But now most users are mistreated with imposed updates, and since they are required to be online all the time, they are vulnerable all the time, and they can't go back to an earlier version that served them well. The following are the most enshittifiable arrangements to offer computing facilities to users. Most enshittifiable so far, Homer Simpson would presumably point out.
Apps that run on remotely-controlled telephones (TRApps) and that are typically automatically updated from exclusive app stores, and their counterparts that run on increasingly enshittified computers (CRApps) are cases in which the programs are installed on your own computer, but are controlled by someone else. They've come to be called apps, so that you'll think of them as appliances rather than as something you can and should be able to tinker with.
Web sites that, every time you visit them, install and demand to run Javascrapped programs on your computer, are a case in which, even if the program is technically Free Software, in this setting, someone else controls which version you get to run, and what that version does.
And then, there are the situations in which, instead of getting a copy of a program, you're offered a service that will do your computing for you, under somebody else's control, substituting software that could have been respectful of your freedom. [...]
Andrew Eikum has updated his blog post on passkeys. The revised title, Passkeys are incompatible with open-source software (was: "Passkey marketing is lying to you"), says it all.
Update: After reading more of the spec authors’ comments on open-source Passkey implementations, I cannot support this tech. In addition to what I covered at the bottom of this blog post, I found more instances where the spec authors have expressed positions that are incompatible with open-source software and user freedom:
When required, the authenticator must perform user verification (PIN, biometric, or some other unlock mechanism). If this is not possible, the authenticator should not handle the request.
This implementation is not spec compliant and has the potential to be blocked by relying parties.
Then you should require its use when passkeys are enabled … [You may be blocked because] you have a passkey provider that is known to not be spec compliant.
I suspect we’ll see [biometrics] required by regulation in some geo-regions.
I’ll leave the rest of the blog post as it was below, but I no longer think Passkeys are an acceptable technology. The spec authors’ statements, refusal to have a public discussion about the issues, and Passkey’s marketing, have all shown this tech is intended to support lock-in to proprietary software. While open source implementations are allowed for now, attestation provides a backdoor to lock the protocol down only to blessed implementations.
So long as the Passkey spec provides the attestation anti-feature, Passkeys are not an acceptable authentication mechanism. As a result, I’ve deleted the Passkeys I set up below in order to avoid increasing their adoption statistics.
Passkeys are cryptographic credentials marketed as operating through locally executed programs to provide authentication for remote systems and services. They are sometimes additionally tied to biometrics or hardware tokens. The jury is still out as to whether they actually improve security, or will merely continue as another vehicle for vendor lock-in. It's looking more like the latter.
https://hackaday.com/2025/10/22/what-happened-to-running-what-you-wanted-on-your-own-machine/
https://archive.ph/6i4vr
When the microcomputer first landed in homes some forty years ago, it came with a simple freedom—you could run whatever software you could get your hands on. Floppy disk from a friend? Pop it in. Shareware demo downloaded from a BBS? Go ahead! Dodgy code you wrote yourself at 2 AM? Absolutely. The computer you bought was yours. It would run whatever you told it to run, and ask no questions.
Today, that freedom is dying. What's worse, is it's happening so gradually that most people haven't noticed we're already halfway into the coffin.
The latest broadside fired in the war against platform freedom has been fired. Google recently announced new upcoming restrictions on APK installations. Starting in 2026, Google will tightening the screws on sideloading, making it increasingly difficult to install applications that haven't been blessed by the Play Store's approval process. It's being sold as a security measure, but it will make it far more difficult for users to run apps outside the official ecosystem. There is a security argument to be made, of course, because suspect code can cause all kinds of havoc on a device loaded with a user's personal data. At the same time, security concerns have a funny way of aligning perfectly with ulterior corporate motives.
[...] The walled garden concept didn't start with smartphones. Indeed, video game consoles were a bit of a trailblazer in this space, with manufacturers taking this approach decades ago. The moment gaming became genuinely profitable, console manufacturers realized they could control their entire ecosystem. Proprietary formats, region systems, and lockout chips were all valid ways to ensure companies could levy hefty licensing fees from developers. They locked down their hardware tighter than a bank vault, and they did it for one simple reason—money. As long as the manufacturer could ensure the console wouldn't run unapproved games, developers would have to give them a kickback for every unit sold.